php7.0: CVE-2017-5340: Use of uninitialized memory in unserialize()

Related Vulnerabilities: CVE-2017-5340  

Debian Bug report logs - #850158


Reported by: Henri Salo <henri@nerv.fi>

Date: Wed, 4 Jan 2017 13:57:02 UTC

Severity: important

Tags: fixed-upstream, security, upstream

Found in version php7.0/7.0.14-2

Fixed in version 7.0.15-1

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://bugs.php.net/bug.php?id=73832




Report forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#850158; Package php7.0. (Wed, 04 Jan 2017 13:57:04 GMT).


Acknowledgement sent to Henri Salo <henri@nerv.fi>:
New Bug report received and forwarded. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Wed, 04 Jan 2017 13:57:04 GMT).


Message #5 received at submit@bugs.debian.org:

From: Henri Salo <henri@nerv.fi>
To: submit@bugs.debian.org
Subject: Use of uninitialized memory in unserialize()
Date: Wed, 4 Jan 2017 15:53:37 +0200
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Package: php7.0
Version: 7.0.14-2
Severity: important
Tags: security, upstream, fixed-upstream

A bug was found showing that PHP uses uninitialized memory during calls to
`unserialize()`. As the following report shows, the payload supplied to
`unserialize()` may control this uninitialized memory region and thus may be
used to trick PHP into operating on faked objects and calling attacker-
controlled destructor function pointers. The supplied proof of concept exploit
practically demonstrates the issue by executing arbitrary code solely by passing
a specially crafted string to `unserialize()`. Even though this particular demo
exploit only works locally, this flaw is very likely to also allow for remote
code execution.

Upstream bug report for additional details: https://bugs.php.net/bug.php?id=73832
Fix: https://gist.github.com/anonymous/9fbe5ccbe8e18659bec11ac963fd07a3

- -- 
Henri Salo
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
=lHoz
-----END PGP SIGNATURE-----



Set Bug forwarded-to-address to 'https://bugs.php.net/bug.php?id=73832'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 04 Jan 2017 14:21:09 GMT).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#850158; Package php7.0. (Wed, 04 Jan 2017 14:27:06 GMT).


Acknowledgement sent to Ondřej Surý <ondrej@sury.org>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Wed, 04 Jan 2017 14:27:06 GMT).


Message #12 received at 850158@bugs.debian.org:

From: Ondřej Surý <ondrej@sury.org>
To: Henri Salo <henri@nerv.fi>, 850158@bugs.debian.org, Debian Security Team <team@security.debian.org>
Subject: Re: [php-maint] Bug#850158: Use of uninitialized memory in unserialize()
Date: Wed, 04 Jan 2017 15:24:22 +0100
Hi,

any web application that allows passing unsanitized data to
unserialize() is doomed, so I don't really think that this requires
immediate attention.

This will get fixed in a normal security cycle with next PHP release (or
I'll add the patch on top of next release).

Cheers,
-- 
Ondřej Surý <ondrej@sury.org>
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server
Knot Resolver (https://www.knot-resolver.cz/) – secure, privacy-aware,
fast DNS(SEC) resolver
Vše pro chleba (https://vseprochleba.cz) – flour from the mill and supplies for
baking bread of all kinds

On Wed, Jan 4, 2017, at 14:53, Henri Salo wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Package: php7.0
> Version: 7.0.14-2
> Severity: important
> Tags: security, upstream, fixed-upstream
> 
> There was found a bug showing that PHP uses uninitialized memory during
> calls to
> `unserialize()`. As the following report shows, the payload supplied to
> `unserialize()` may control this uninitialized memory region and thus may
> be
> used to trick PHP into operating on faked objects and calling attacker
> controlled destructor function pointers. The supplied proof of concept
> exploit
> practically demonstrates the issue by executing arbitrary code solely by
> passing
> a specially crafted string to `unserialize()`. Even though this
> particular demo
> exploit only works locally this flaw is very likely to also allow for
> remote
> code execution.
> 
> Upstream bug report for additional details:
> https://bugs.php.net/bug.php?id=73832
> Fix: https://gist.github.com/anonymous/9fbe5ccbe8e18659bec11ac963fd07a3
> 
> - -- 
> Henri Salo
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1
> 
> iQIcBAEBAgAGBQJYbP5hAAoJECet96ROqnV0rmIP/j0HpcNDEpNJTeR+JN75jC90
> quuTqH98Neibb3WZEHHHksFVbKohmDm/KVQ1E7AWe6+zZ4FfEoPOsBkhoK2Swfv0
> VTB7NVKFhlqmPwnVaB3l/6fc58mtyy6ljPcd/KIr1n3DCRbHgo13QmsgHBFSoqMs
> WhJ0CB4NR87/qGqmuHabT1wkzwIB90uApbwBlDRpPTA54XWLRPoIZNlb3roh8RGD
> lVb9Nb5vUZMGbrL376r6PkL+sZ6QcKemrGF3ZZqiirKcCfstYzhuftPgGLIGc0B2
> Ud3IcH5wjxd/h4s4DA9SjZwnYbOlt76e3kcZbUZ4rJF1SEUAr0hfjRcbrEEj/0Ni
> 5B/z5H+miK4xAy+gyYemKELWhyrjSE5n2f5rN0SEJtTiaoF2XESLFP8HsuVzZyox
> KOte7ekNIX0Ev+UvmEGeXawlqKRR+xuIYfS9obpgtbWYOZa1zdKMJz8VFfSun2MQ
> 9aK5B6icbeGTjB+ilKINv7UqLXArZw4WokAVBKRFXRpdAOjBBdGp9u0lIp2vNcru
> hM6wc/lXShs7JlpQ3Rx0OMSv48u94NwwUw+otJcBg7lc5BoGlQSTqIObIUk4uuyY
> abCYVpGBQN/qzGB/lULpt4ExxHEzDHC3pRimBGM6vGdThXOHKFi4VwlMf39UXaLl
> rxvwtgdjnNAafVGc/H4g
> =lHoz
> -----END PGP SIGNATURE-----
> 
> _______________________________________________
> pkg-php-maint mailing list
> pkg-php-maint@lists.alioth.debian.org
> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-php-maint
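The flaw Henri describes above (a crafted string passed to `unserialize()` steering PHP onto forged objects and their destructors) and Ondřej's point that any application handing unsanitized data to `unserialize()` is already exposed both come down to the same defensive rule: untrusted bytes must not reach the unserialize parser. The following PHP example is added here and is not code from the bug report, from PHP upstream or from the Debian package; the `TempFile` class, the key and the payloads are constructed for the demonstration. It places the unsafe pattern next to two mitigations: refusing object instantiation with `allowed_classes => false`, and authenticating serialized blobs with an HMAC so that only payloads the application itself produced are ever parsed.

```php
<?php
// Added example, not code from the bug report or from PHP upstream.
// The class, key and payloads below are constructed for the demonstration.
declare(strict_types=1);

// Hypothetical application class with a destructor: the kind of object a
// crafted unserialize() payload tries to get instantiated.
final class TempFile
{
    /** @var string */
    public $path;

    public function __construct(string $path)
    {
        $this->path = $path;
    }

    public function __destruct()
    {
        // With a forged object this runs on sender-chosen state.
        fwrite(STDERR, "TempFile destructor ran for {$this->path}\n");
    }
}

// UNSAFE PATTERN: a request value goes straight into unserialize(), so the
// sender controls the whole object graph, including which destructors run.
function loadStateUnsafe(string $cookie)
{
    return unserialize($cookie);
}

// MITIGATION 1 (PHP >= 7.0): refuse to instantiate application classes.
// Every object in the payload becomes __PHP_Incomplete_Class, so no
// constructor, destructor or __wakeup of TempFile is executed.
function loadScalarsOnly(string $blob)
{
    return unserialize($blob, ['allowed_classes' => false]);
}

// MITIGATION 2: authenticate the blob before unserialize() sees it, so only
// payloads this application produced with $key are parsed at all.
function sealState($state, string $key): string
{
    $blob = serialize($state);
    return hash_hmac('sha256', $blob, $key) . ':' . $blob;
}

function openState(string $sealed, string $key)
{
    $parts = explode(':', $sealed, 2);   // hex HMAC tag, then the blob
    if (count($parts) !== 2) {
        throw new InvalidArgumentException('malformed sealed blob');
    }
    list($tag, $blob) = $parts;
    if (!hash_equals(hash_hmac('sha256', $blob, $key), $tag)) {
        throw new RuntimeException('HMAC mismatch: blob was not produced by this application');
    }
    return unserialize($blob, ['allowed_classes' => false]);
}

// ---- demonstration with constructed data ----
$key = 'constructed-demo-key; use a random secret from your config in production';

// Legitimate state round-trips through seal/open.
$sealed = sealState(['user' => 'alice', 'theme' => 'dark'], $key);
var_dump(openState($sealed, $key)['user'] === 'alice');                      // bool(true)

// A constructed serialized TempFile, standing in for an incoming
// object-injection payload.
$objectPayload = 'O:8:"TempFile":1:{s:4:"path";s:10:"/demo/path";}';

// Unsafe loader instantiates TempFile; its destructor runs as soon as the
// object is discarded (watch STDERR).
var_dump(loadStateUnsafe($objectPayload) instanceof TempFile);                // bool(true)

// allowed_classes => false: no TempFile is created at all.
var_dump(loadScalarsOnly($objectPayload) instanceof __PHP_Incomplete_Class);  // bool(true)

// Foreign or tampered blob: rejected before unserialize() is reached.
try {
    openState('0000:' . $objectPayload, $key);
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

`allowed_classes => false` closes the object-injection route (no application destructor or `__wakeup` runs), but it still hands the sender's bytes to the `unserialize()` parser, so it is not a substitute for the upstream fix against a parser-level memory bug like this one. The HMAC gate is what keeps foreign payloads out of the parser entirely; the most robust choice remains not using PHP's native serialization format for anything that crosses a trust boundary, and upgrading to a fixed PHP release.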



Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#850158; Package php7.0. (Wed, 04 Jan 2017 16:15:04 GMT).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Wed, 04 Jan 2017 16:15:05 GMT).


Message #17 received at 850158@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Ondřej Surý <ondrej@sury.org>
Cc: Henri Salo <henri@nerv.fi>, 850158@bugs.debian.org, Debian Security Team <team@security.debian.org>
Subject: Re: [php-maint] Bug#850158: Use of uninitialized memory in unserialize()
Date: Wed, 4 Jan 2017 17:13:09 +0100
Hi Ondřej

On Wed, Jan 04, 2017 at 03:24:22PM +0100, Ondřej Surý wrote:
> Hi,
> 
> any web application that allows passing unsanitized data to
> unserialize() is doomed, so I don't really think that this requires
> immediate attention.
> 
> This will get fixed in a normal security cycle with next PHP release (or
> I'll add the patch on top of next release).

Yes that sounds fine.

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#850158; Package php7.0. (Wed, 11 Jan 2017 07:21:03 GMT).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Wed, 11 Jan 2017 07:21:03 GMT).


Message #22 received at 850158@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Henri Salo <henri@nerv.fi>, 850158@bugs.debian.org
Subject: Re: Bug#850158: Use of uninitialized memory in unserialize()
Date: Wed, 11 Jan 2017 08:19:30 +0100
Control: retitle -1 php7.0: CVE-2017-5340: Use of uninitialized memory in unserialize()

Hi

MITRE had assigned CVE-2017-5340 for this issue. Can you add the CVE
reference to the upstream bug?

Regards,
Salvatore



Changed Bug title to 'php7.0: CVE-2017-5340: Use of uninitialized memory in unserialize()' from 'Use of uninitialized memory in unserialize()'. Request was from Salvatore Bonaccorso <carnil@debian.org> to 850158-submit@bugs.debian.org. (Wed, 11 Jan 2017 07:21:03 GMT).


Bug 850158 cloned as bug 852022. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 20 Jan 2017 19:15:02 GMT).


Marked as fixed in versions 7.0.15-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 25 Jan 2017 12:15:10 GMT).


Marked Bug as done. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 25 Jan 2017 12:15:11 GMT).


Notification sent to Henri Salo <henri@nerv.fi>:
Bug acknowledged by developer. (Wed, 25 Jan 2017 12:15:11 GMT).


Message sent on to Henri Salo <henri@nerv.fi>:
Bug#850158. (Wed, 25 Jan 2017 12:15:13 GMT).


Message #35 received at 850158-submitter@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: control@bugs.debian.org
Cc: 850158-submitter@bugs.debian.org
Subject: closing 850158
Date: Wed, 25 Jan 2017 13:14:49 +0100
close 850158 7.0.15-1
thanks




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 09 Oct 2018 07:29:35 GMT).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:31:48 2019; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.